
Research On Alert Correlation And Analysis Engine In Intrusion Detection System

Posted on: 2007-07-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Shen
Full Text: PDF
GTID: 2178360185966070
Subject: Computer application technology

Abstract/Summary:
The Internet provides great convenience for information sharing and interaction, but the accompanying problem of network security is increasingly obvious. As one kind of active information security assurance, Intrusion Detection Systems (IDSs) are usually considered the second line of defense against malicious activities, alongside prevention-based security mechanisms such as authentication and access control. However, traditional intrusion detection systems have three main deficiencies: too high a false alert rate, too many alerts, and too little information in each alert. All of these can overwhelm system administrators, preventing them from adequately understanding the security state of the network and from initiating an appropriate response in a timely fashion. Therefore, how to re-analyze and re-organize alerts, including removing redundant alerts and merging trivial alerts, is a problem that needs to be solved urgently in the intrusion detection field. To address it, alert correlation and analysis is becoming a research focus in this field.

Firstly, this thesis analyzes the characteristics of the alerts provided by an Intrusion Detection System, divides alert correlation and analysis methods into two kinds, those addressing redundancy and those addressing time-series relationships, and proposes a design for an alert correlation and analysis engine in an IDS. The engine consists of four steps: removing redundant alerts, merging alerts with a time-series relationship into one alert, evaluating alert priority, and presenting the ranked alerts to security managers.

Secondly, this thesis analyzes and compares alert correlation and analysis algorithms for time sequences. These algorithms mainly include attack-script-based and causal-relation-based alert correlation and analysis algorithms. Since these algorithms cannot fully correlate alerts when an alert is missing, this thesis proposes a dynamic rule-based alert correlation and analysis algorithm. Simulation experiments verify the effectiveness and efficiency of the algorithm.

Finally, this thesis introduces the concept of "cost-sensitive" analysis and proposes a cost-sensitive alert correlation and analysis algorithm. By establishing a cost model, the algorithm calculates the damage cost and response cost of alerts, determines the priority of alerts, and improves the effectiveness of security managers. Many algorithms exist to distinguish alert priority, but this is the first time to...
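The four-step engine the abstract describes (remove redundant alerts, merge time-series-related alerts, evaluate priority, hand over a ranked list), as an added Python example that is not the thesis's own code. The causal rule base, the cost model, the scoring formula (damage of the whole chain minus response cost) and the way a missing intermediate alert is tolerated (following the rule chain one step further) are assumptions made for illustration, not the thesis's algorithms.

```python
from dataclasses import dataclass, field
# Hypothetical rule base and cost model (assumed here, not from the thesis; cost units arbitrary).
CAUSAL_RULES = {"exploit_attempt": "port_scan", "privilege_escalation": "exploit_attempt"}
DAMAGE_COST = {"port_scan": 1, "exploit_attempt": 5, "privilege_escalation": 10}
RESPONSE_COST = {"port_scan": 1, "exploit_attempt": 2, "privilege_escalation": 4}
WINDOW = 300  # seconds within which alerts on one (src, dst) pair are treated as related
@dataclass
class Alert:
    ts: int
    sig: str
    src: str
    dst: str
    count: int = 1                             # raw alerts folded into this one
    chain: list = field(default_factory=list)  # earlier attack stages merged into it
def dedup(alerts):
    """Step 1: fold repeats of one (sig, src, dst) within WINDOW into a single alert."""
    out = []
    for a in sorted(alerts, key=lambda x: x.ts):
        dup = next((b for b in out if (b.sig, b.src, b.dst) == (a.sig, a.src, a.dst)
                    and a.ts - b.ts <= WINDOW), None)
        if dup:
            dup.count += 1
        else:
            out.append(Alert(a.ts, a.sig, a.src, a.dst))
    return out

def correlate(alerts):
    """Step 2: link each alert to the earlier stage its rule names; if that stage was
    never reported (a missed detection), follow the rule chain one step further."""
    merged = []
    for a in alerts:  # time-ordered after dedup
        want = CAUSAL_RULES.get(a.sig)
        while want:
            prev = next((m for m in merged if m.sig == want and a.ts - m.ts <= WINDOW
                         and (m.src, m.dst) == (a.src, a.dst)), None)
            if prev:
                merged.remove(prev)
                a.chain = prev.chain + [prev]
                break
            want = CAUSAL_RULES.get(want)
        merged.append(a)
    return merged

def prioritize(alerts):
    """Steps 3-4: score = damage of the whole chain minus response cost, ranked descending."""
    score = lambda a: sum(DAMAGE_COST[x.sig] * x.count for x in a.chain + [a]) - RESPONSE_COST[a.sig]
    return sorted(((score(a), a) for a in alerts), key=lambda p: -p[0])
# Constructed sample: one scanner repeats a scan, then escalates on the same host with the exploit stage never reported.
SAMPLE = [Alert(t, "port_scan", "10.0.0.5", "10.0.0.9") for t in (0, 20, 40)] + [
    Alert(200, "privilege_escalation", "10.0.0.5", "10.0.0.9"), Alert(210, "port_scan", "10.0.0.7", "10.0.0.9")]
ranked = prioritize(correlate(dedup(SAMPLE)))  # -> scores [9, 0]: the escalation chain first, the lone scan last
```

The three repeated scans collapse into one alert with count 3, the escalation is linked to it despite the absent exploit alert, and the unrelated scanner stays separate with the lowest score.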
Keywords/Search Tags: Intrusion Detection System, Alert Correlation and Analysis, Cost-sensitive, Alert Priority